Yes, it’s stupid, but it’s more than an oversight.
First, someone (presumably an engineer debugging something) disabled a security feature, but they failed to revert it when they were done, and they committed the change to the source repo. Well, that’s bad. But sh*t happens, bad commits do happen. It was not terrible at this level — it should have gotten caught and corrected at the next level.
Then at the next level, whoever was supposed to review commits missed it. That’s worse than the original mistake. The error became considerably worse because now it’s assumed to be okay.
Then the error was built into the release, and QA failed to test for it. This is egregious. QA shouldn’t have to find this kind of error — you can’t “test software until it works”. But even so, this wasn’t a difficult bug to exercise, if you have the resources of Apple. My God, they’ve got hundreds of QA people, they’ve got automated testing setups. But still, QA didn’t find it.
More than an oversight. This was a systemic failure of the first order.
BTW, I’ve done professional industrial strength software testing since the late 1970’s, so I get to be a little righteous about this one. I’m very disappointed in Apple and I expect them to fire a few people over this.
Oh, I agree. I think someone really screwed up. But who thinks about checking to see if a null password is acceptable when it was not OK before, especially in something as obscure as creating Root user ability? It's one of those things only 1 in ten thousand users ever do and then those only do it once. It is not something a user does repeatedly and it is not something one does on a Mac over and over again to test. It's actually a pain in the rear to undo so one can try again because once the root user is created, password is set and can only be changed.
As you can see above, I finally figured out what is REALLY going on with this "vulnerability." It's not a true coding error that allows the creation of a new root user without a password, it's that someone left their Root User account open with no password and it wound up in the Gold Master.
That's the only thing that meets the criteria of how this "vulnerability" works. . . and the "root" user is in the user list. This isn't "creating" a root user, it's only invoking an already existing root user.